Monday, July 6, 2009

MoTB #06: Multiple vulnerabilities in TwitPic

What is TwitPic
"TwitPic lets you share photos on Twitter." (TwitPic home page)


Twitter affect
TwitPic can be used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos.
TwitPic is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
Most popular Twitter photo sharing service. Most visited Twitter 3rd party website, according to Compete - 5 twits



Vulnerabilities
1) Cross-Site Request Forgery in the Email PIN Settings page.
Status: Patched.
Details: This vulnerability was reported by dblackshell. See dblackshell's advisory for more details: http://insanesecurity.info/blog/twitpic-modern-twitter-backdoor

Few days before "Month of Twitter Bugs" has started, attackers found Britney Spears' TwitPic email PIN number by using a brute force attack (which was also fixed by TwitPic).  Instead, they could have easily used this CSRF vulnerability in order to tweet the fake death announcement.


2) Cross-Site Request Forgery in the comments form.
Status: Patched
Details: The comments form on each TwitPic picture web page did not use authenticity code in order to validate that the HTTP request POST is coming from the TwitPic web application.  This could have been used by an attacker to send comments on behalf of its victims, which could have also tweet the comments in Twitter.


3) Persistent Cross-Site Scripting in the TwitPic profile page.
Status: Patched.
Details: This vulnerability was first reported to TwitPic on May 18th 2009, and posted on my blog.  TwitPic did not encode HTML entities in the information it imported from the Twitter profile, and displayed in the TwitPic profile.



Vendor response rate
It took TwitPic only an hour to fix the vulnerabilities. 


In conclusion
TwitPic has a large user base, and I'm happy that they are taking security very seriously. They also take the blame when needed. I'll keep using TwitPic as my main Twitter photo sharing service.